Limiting access to a digital item

ABSTRACT

In a method for limiting access to a digital item, a count for the digital item is stored, wherein the count is a number of accesses permitted for the digital item. A password for accessing the digital item is received. A one-way hash function is performed on the password based on the number of accesses of the count to generate a password hash based on the count. The password hash is stored as the stored password hash.

BACKGROUND

Various forms of digital items are subject to access controls. Thesedigital items include, but are not limited to, virtual appliancesoperating on virtual machines, as well as applications, digital media,and digital documents. There are many reasons as to why this isadvantageous. For instance, the owner of the digital item may wish toensure the security of the digital item. Alternatively, the owner of thedigital item may wish to ensure that they receive compensation for theuse and/or access of the digital item. One way to control access to adigital item is to limit the number of accesses a user may be granted tothe digital item.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and form a part ofthis specification, illustrate various embodiments and, together withthe Description of Embodiments, serve to explain principles discussedbelow. The drawings referred to in this brief description of thedrawings should not be understood as being drawn to scale unlessspecifically noted.

FIG. 1 is an example data flow diagram illustrating initialization of aprocess for limiting the number of accesses to a digital item, inaccordance with embodiments.

FIG. 2 is an example data flow diagram illustrating validation of aprocess for limiting the number of accesses to a digital item, inaccordance with embodiments.

FIG. 3 is an example data flow diagram illustrating updating the storedcount and stored password hash in a process for limiting the number ofaccesses to a digital item, in accordance with embodiments.

FIG. 4 is an example data flow diagram illustrating the changing of apassword in a process for limiting the number of accesses to a digitalitem, in accordance with embodiments.

FIG. 5 is a flow diagram of the initialization in a method of limitingthe number of accesses to a digital item, in accordance with variousembodiments.

FIG. 6 is a flow diagram of access validation in a method of limitingthe number of accesses to a digital item, in accordance with variousembodiments.

FIG. 7 is a flow diagram of the update of the stored count and storedpassword hash in a method of limiting the number of accesses to adigital item, in accordance with various embodiments.

FIG. 8 is a flow diagram of the change of a password in a method oflimiting the number of accesses to a digital item, in accordance withvarious embodiments.

DESCRIPTION OF EMBODIMENTS

Reference will now be made in detail to various embodiments, examples ofwhich are illustrated in the accompanying drawings. While variousembodiments are discussed herein, it will be understood that they arenot intended to be limiting. On the contrary, the presented embodimentsare intended to cover alternatives, modifications and equivalents, whichmay be included within the spirit and scope the various embodiments asdefined by the appended claims. Furthermore, in this Description ofEmbodiments, numerous specific details are set forth in order to providea thorough understanding. However, embodiments may be practiced withoutone or more of these specific details. In other instances, well knownmethods, procedures, components, and circuits have not been described indetail as not to unnecessarily obscure aspects of the describedembodiments.

Notation and Nomenclature

Unless specifically stated otherwise as apparent from the followingdiscussions, it is appreciated that throughout the present Descriptionof Embodiments, discussions utilizing terms such as “storing,”“receiving,” “performing,” “accessing,” “validating,” “denying,”“granting,” “decrementing,” “generating,” “taking,” or the like, oftenrefer to the actions and processes of an electronic computing device orsystem, such as a virtual machine, among others. In some embodiments,the electronic computing device/system may be a portion of a distributedcomputing system. The electronic computing device/system transmits,receives, stores, manipulates and/or transforms signals represented asphysical (electrical) quantities within the circuits, components, logic,and the like, of the electronic computing device/system into othersignals similarly represented as physical electrical quantities withinthe electronic computing device/system or within or transmitted to otherelectronic computing devices/systems.

Overview of Discussion

In accordance with various described embodiments, one way to controlaccess to a digital item is to limit the number of accesses a user maybe granted to the digital item. These digital items include, but are notlimited to, virtual appliances operating on virtual machines, virtualmachines, as well as applications, digital media, and digital documents.Conventional techniques for limiting the number of accesses to a digitalitem are typically reliant on the security of the access system. Forexample, the number of permitted accesses to a particular digital item,referred to herein as the “count” or the “stored count” is typicallystored in a file, referred to herein as an “access count file.”Circumventing conventional techniques for limiting the number ofaccesses to a digital item is as simple as modifying the count withinthe access count file. For example, if a user wants to gain moreaccesses to a digital item, increasing the number of the count willgrant them additional accesses.

Systems for limiting the number of accesses to a digital item may beimplemented locally or over a distributed computer network, e.g.,deployed in a cloud computing environment. Moreover, these systems maybe private or public. As such, certain users may be able to access thesesystems, and the respective access count files, depending on thesecurity measures taken. For example, someone skilled in circumventingsecurity systems of computer systems, such as a hacker, or someonegranted extensive administrative privileges to a system, such as asuperuser, can easily gain access to and modify the access count file.

Embodiments described herein relate to methods and systems for limitingaccess to a digital item. The described embodiments associate a one-waypassword hash and a count of the number of permitted accesses with thedigital item. A one-way hash function is performed on the password basedon the number of permitted accesses of the count. At initialization andat each access, a password hash is generated using a one-way hashfunction and is stored. On granted accesses, the count is decrementedand the password hash is updated based on the decremented count. At anaccess request, the same one-way hash function is performed on theentered password based on the count. If the result of the one-wayoperation on the entered password matches the stored password hashaccess is granted.

Tampering with the count in an attempt to increase the number ofaccesses will not succeed in exceeding the number of accesses to thedigital item. For example, if the count is modified, the one-way hash ofthe entered password will not match the stored password hash, since bothare based on the stored count.

Herein various systems, methods and techniques for limiting the numberof accesses to a digital item are described which utilize one-way hashfunction based on the number of permitted accesses to the digital item.

Discussion begins with a description of flow diagrams illustratingportions of a process for limiting the number of accesses to a digitalitem. Operation of various components of a system for limiting thenumber of accesses to a digital item is further described in conjunctionwith description of various methods associated with limiting the numberof accesses to a digital item.

Example Flow Diagrams for Limiting the Number of Accesses to a DigitalItem

FIG. 1 is an example data flow diagram 100 illustrating initializationof a process for limiting the number of accesses to a digital item, inaccordance with various embodiments. As depicted, access count file 110includes the count of the number permitted accesses for a digital item.It should be appreciated that the count of permitted accesses can bestored in different ways, and is not limited to storage in an accesscount file 110. Moreover, it should be appreciated that access countfile 110 can be stored locally or remotely, e.g., in a cloud computingenvironment.

At initialization, a password 105 for accessing a particular digitalitem is received. In one embodiment, password 105 is associated with aparticular user, e.g., as identified by a username. In one embodiment, aLightweight Directory Access Protocol (LDAP) server is implemented forhandling password hash storage and validation. For instance, ActiveDirectory (AD) utilizing LDAP may be used.

One-way hash function 120 receives password 105 and receives storedcount 115 from access count file 110. In one embodiment, a user issupplied with password 105. In another embodiment, a user selectspassword 105. It should be appreciated that in various embodiments,password 105 is not stored, but rather a hash of password 105 (e.g.,password hash 135) is stored. In one embodiment, password 105 isprovided as input from a user, e.g., received at a keyboard ortouchscreen device. In another embodiment, password 105 is stored on adevice (e.g., a magnetic card or thumb drive) and is read by acorresponding input device (e.g., a magnetic card reader or computingsystem).

One-way hash function 120 is configured to perform a one-way hashfunction on password 105 based on the number of the stored count. Forpurposes of the instant description of embodiments, a one-way hashfunction refers to an operation that converts input text into an outputstring, referred to as a hash, but is computationally very difficult toretrieve or compute the input text from the output string. Moreover,one-way hash functions may also have the properties whereby it isinfeasible to generate a particular hash without knowing both the inputand the type of hash function being utilized and it is infeasible tomodify the input text without changing the hash. Many different one-wayhash functions are known to those of skill in the art. For example, andwithout limitation, some one-way hash functions include: MD2, MD4, MD5,RIPEMD, RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320, SHA-0, SHA-1,SHA-2, SHA-3, SHA-224, SHA-256, SHA-384, and SHA-512.

In the following example, one-way hash function SHA-256 is used generatehash values for the inputs “10” and “100.” Note that the hash values for10 and 100 are very different. It is also very difficult to determinethe original values of 10 and 100 from their hashes.

-   -   SHA256(“10”)=0x917df3320d778ddbaa5c5c7742bc4046bf803c36ed2b05        0f30844ed206783469    -   SHA256(“100”)=0xd98fad9074a4b77614bd8b62a73a7dff5928dd0e4a412        3400762ed10af19cd92

In one embodiment, one-way hash function 120 performs a one-way hashfunction on password 105 a number of times corresponding to the numberof stored count 115. For example, where n accesses to the digital itemremain, such that the value of stored count 115 is n, one-way hashfunction 120 performs a one-way hash function on password 105 n numberof times. That is, one-way hash function 120 would perform a one-wayhash function on password 105 to generate an intermediate password hash.In one embodiment, one-way hash function 120 would perform the one-wayhash function on successive intermediate password hashes until theone-way hash function has been performed n number of times.

In one embodiment, one-way hash function 120 performs a one-way hashfunction on password 105 using the same one-way hash function. Inanother embodiment, one-way hash function 120 performs a one-way hashfunction on password 105 using a combination of different one-way hasfunctions. In one embodiment, one-way hash function 120 can cyclethrough a predetermined order of different one-way hash functions.One-way hash function 120 can maintain a list of various one-way hashfunctions, such that where multiple one-way hash functions are usedbased on the count, the one-way hash functions of the list are cycledthrough according to the number of stored count 115. For example, wherethe stored count 115 is five, and one-way hash function 120 performsfive one-way hash functions on a password 105, each successive one-wayhash function can be different. For example, all odd one-way hashfunctions can use SHA-256 and all even one-way hash functions can useSHA-384. It should be appreciated that any ordering of one-way hashfunctions can be used in accordance with the described embodiments, solong as the same ordering of one-way hash functions is used to validateaccess to the item, as described below in accordance with FIG. 2.

It should be appreciated that the one-way hash function can be performedon password 105 in other ways, and is not limited to the precedingembodiment. For example, in another embodiment, one-way hash function120 performs a one-way hash function on password 105 a number of timescorresponding to a multiple of the number of stored count 115. Inanother embodiment, one-way hash function 120 performs a one-way hashfunction on password 105 a number of times corresponding to an offset ofthe number of stored count 115. In other words, while the one-way hashfunction is performed on password 105 a number of times based on thenumber of stored count 115, it is not limited to being performed thenumber of times of stored count 115. In contrast, embodiments performthe one-way hash function on password 105 a number of times based on thenumber of stored count 115.

As depicted, password hash 135 includes the output of one-way hashfunction 120 after a one-way hash function has been performed onpassword 105 count number of times. In one embodiment, password hash 135is stored in password hash file 130. It should be appreciated thatpassword hash 135 can be stored in different ways, and is not limited tostorage in password hash file 130. Moreover, it should be appreciatedthat password hash file 130 can be stored locally or remotely, e.g., ina cloud computing environment.

Furthermore, as depicted in FIG. 1, in various embodiments, access countfile 110 and password hash file 130 can be comprised within a singlefile, such as file 150. However, it should be appreciated that accesscount file 110 and password hash file 130 need not be comprised withinthe same file 150. For instance, having them in different files and atdifferent locations might provide better security. It should also beappreciated that access count file 110, password hash file 130, and file150 can be stored in different ways, and can be stored locally orremotely, e.g., in a cloud computing environment.

FIG. 2 is an example data flow diagram 200 illustrating validation in aprocess for limiting the number of accesses to a digital item, inaccordance with various embodiments. As depicted, password 105 isreceived as part of an access request for a particular digital item. Inone embodiment, password 105 is provided as input from a user, e.g.,received at a keyboard or touchscreen device. In another embodiment,password 105 is stored on a device (e.g., a magnetic card or thumbdrive) and is read by a corresponding input device (e.g., a magneticcard reader or computing system).

One-way hash function 120 receives password 105 and receives storedcount 115 from access count file 110. One-way hash function 120 isconfigured to perform a one-way hash function on password 105 based onthe number of the stored count. Access password hash 210 is generated byperforming the one-way hash function based on the stored count 115. Inone embodiment, one-way hash function 120 performs a one-way hashfunction on password 105 a number of times equal to the number of storedcount 115. In another embodiment, one-way hash function 120 performs aone-way hash function on password 105 a number of times equal to amultiple of the number of stored count 115. In another embodiment,one-way hash function 120 performs a one-way hash function on password105 a number of times equal to an offset of the number of stored count115. It should be appreciated that one-way hash function 120 performsthe one-way hash function on password 105 in the same way as storedpassword hash 135 was generated.

In one embodiment, one-way hash function 120 performs a one-way hashfunction on password 105 using the same one-way hash function. Inanother embodiment, one-way hash function 120 performs a one-way hashfunction on password 105 using a combination of different one-way hasfunctions. In one embodiment, one-way hash function 120 can cyclethrough a predetermined order of different one-way hash functions.One-way hash function 120 can maintain a list of various one-way hashfunctions, such that where multiple one-way hash functions are usedbased on the count, the one-way hash functions of the list are cycledthrough according to the number of stored count 115. It should beappreciated that any ordering of one-way hash functions can be used inaccordance with the described embodiments, so long as the same orderingused in validating access to the item is used in the generation ofstored password hash 135.

As depicted, access password hash 210 includes the output of one-wayhash function 120 after a one-way hash function has been performed onpassword 105 based on the number of stored count 115.

Access validator 220 receives access password hash 210 and storedpassword hash 135. Access validator 220 compares access password hash210 to stored password hash 135. If access password hash 210 and storedpassword hash 135 are not the same, access to the digital item isdenied. Alternatively, if access password hash 210 and stored passwordhash 135 are equal, access to the digital item is granted. It should beunderstood that if the count in access count file 110 is tampered with,the access password 105 will be hashed an incorrect number of times andaccess password hash 210 will not match the stored password hash 135.Thus, tampering with the count does not succeed in gaining unauthorizedaccess.

FIG. 3 is an example data flow diagram 300 illustrating updating thestored count and stored password hash in a process for limiting thenumber of accesses to a digital item, in accordance with embodiments. Asdepicted, responsive to access being granted to the digital item, accesscount 110 is decremented. For example, where the value of stored count115 is n, the value of stored count 115 is updated to n−1. In oneembodiment, access validator 220 decrements stored count 115 upongranting access, as shown at arrow 310.

One-way hash function 120 then performs a one-way hash function onpassword 105 n−1 number of times, which is the value of stored count115. Password hash 135 is generated by one-way hash function 120 and isstored in password hash file 130, replacing the previous password hash135. In this way, access count file 110 and password hash file 130 or,in another embodiment, file 150, are updated to reflect that theremaining available accesses for the digital item is reflected as storedcount 115 and that password hash 135 corresponds to stored count 115. Inone embodiment, prior to replacing the previous password hash 135, thenew password hash 135 is committed to persistent memory and is confirmedaccessible. Once the new password hash 135 is confirmed accessible, theprevious password hash 135 is deleted and replaced with the new passwordhash 135.

FIG. 4 is an example data flow diagram 400 illustrating the changing ofa password in a process for limiting the number of accesses to a digitalitem, in accordance with various embodiments. In the event that apassword for accessing a digital item is changed, the correspondingpassword hash is updated to ensure that access to the digital item ismaintained.

In accordance with various embodiments, password updater 410 receives anindication that password 105 has changed. It should be appreciated thatthe mechanism for verifying and performing the password change ismanaged separately, for instance, at an LDAP server or by AD. Passwordupdater 410 receives the indication of the change, as well as thechanged password 105.

One-way hash function 120 receives password 105 and receives storedcount 115 from access count file 110. One-way hash function 120 isconfigured to perform a one-way hash function on password 105 based onthe number of the stored count. In one embodiment, one-way hash function120 performs a one-way hash function on password 105 a number of timescorresponding to the number of stored count 115.

It should be appreciated that the one-way hash function can be performedon password 105 in other ways, and is not limited to the precedingembodiment. For example, in another embodiment, one-way hash function120 performs a one-way hash function on password 105 a number of timescorresponding to a multiple of the number of stored count 115. Inanother embodiment, one-way hash function 120 performs a one-way hashfunction on password 105 a number of times corresponding to an offset ofthe number of stored count 115. In other words, while the one-way hashfunction is performed on password 105 a number of times based on thenumber of stored count 115, it is not limited to being performed thenumber of times of stored count 115. In contrast, embodiments performthe one-way hash function on password 105 a number of times based on thenumber of stored count 115.

As depicted, password hash 135 includes the output of one-way hashfunction 120 after a one-way hash function has been performed onpassword 105 count number of times. In one embodiment, the updatedpassword hash 135 is stored in password hash file 130, replacing theprevious password hash 135.

Example Methods of Operation

The following discussion sets forth in detail the operation of someexample methods of operation of embodiments. With reference to FIGS. 5through 8, flow diagram 500, 600, 700 and 800 illustrate exampleprocedures used by various embodiments. Flow diagrams 500, 600, 700 and800 include some procedures that, in various embodiments, are carriedout by a processor under the control of computer-readable andcomputer-executable instructions. In this fashion, procedures describedherein and in conjunction with flow diagrams 500, 600, 700 and/or 800are, or may be, implemented using a computer, in various embodiments.The computer-readable and computer-executable instructions, e.g.,computer readable program code, can reside in any tangible computerreadable storage media. Some non-limiting examples of tangible computerreadable storage media include random access memory, read only memory,magnetic disks, solid state drives/“disks,” and optical disks, any orall of which may be employed. The computer-readable andcomputer-executable instructions, which reside on tangible computerreadable storage media, are used to control or operate in conjunctionwith, for example, one or some combination of processors of a computingsystem. It is appreciated that the processor(s) may be physical orvirtual or some combination (it should also be appreciated that avirtual processor is implemented on physical hardware).

Although specific procedures are disclosed in flow diagrams 500, 600,700 and 800, such procedures are examples. That is, embodiments are wellsuited to performing various other procedures or variations of theprocedures recited in flow diagram 500, 600, 700 and/or 800. Likewise,in some embodiments, the procedures in flow diagrams 500, 600, 700and/or 800 may be performed in an order different than presented and/ornot all of the procedures described in one or more of these flowdiagrams may be performed. It is further appreciated that proceduresdescribed in flow diagram 500, 600, 700 and/or 800 may be implemented inhardware, or a combination of hardware with firmware and/or software.

FIG. 5 is a flow diagram 500 of the initialization of a method oflimiting the number of accesses to a digital item, in accordance withvarious embodiments. It should be appreciated that digital items mayinclude, but are not limited to, virtual appliances operating on virtualmachines, virtual machines, as well as applications, digital media, anddigital documents.

At procedure 510 of flow diagram 500, in one embodiment, a count for thedigital item is stored, wherein the count is a number of accessespermitted for the digital item. In one embodiment, the count is storedin an access count file, e.g., access count file 110 of FIG. 1.

At procedure 520, a password for accessing the digital item is received.In one embodiment, the password is associated with a particular user,e.g., as identified by a username. In one embodiment, the password isprovided as input from a user, e.g., received at a keyboard ortouchscreen device. In another embodiment, the password is stored on adevice (e.g., a magnetic card or thumb drive) and is read by acorresponding input device (e.g., a magnetic card reader or computingsystem).

At procedure 530, a one-way hash function is performed on the passwordbased on the number of accesses of the count to generate a password hashbased on the count. In one embodiment, as shown at procedure 532, theone-way hash function is performed on the password the number of thecount times. In another embodiment, as shown at procedure 534, theone-way hash function is performed on the password a multiple of thenumber of the count times. In another embodiment, as shown at procedure536, the one-way hash function is performed on the password an offset ofthe number of the count times.

At procedure 540, the password hash is stored as the stored passwordhash.

FIG. 6 is a flow diagram 600 of access validation in a method oflimiting the number of accesses to a digital item, in accordance withvarious embodiments.

At procedure 610 of flow diagram 600, in one embodiment, a request toaccess the digital item is received, the request including the password.In one embodiment, the password is provided as input from a user, e.g.,received at a keyboard or touchscreen device. In another embodiment, thepassword is stored on a device (e.g., a magnetic card or thumb drive)and is read by a corresponding input device (e.g., a magnetic cardreader or computing system).

At procedure 620, the count for the digital item is accessed.

At procedure 630, a one-way hash function is performed on the passwordbased on the number of accesses of the count to generate an accesspassword hash based on the count. It should be appreciated that theone-way hash function can be performed in different ways, so long as theone-way hash function is based on the count and is performed in the samemanner as described in procedure 530 of FIG. 5.

At procedure 640, the request is validated by comparing the storedpassword hash to the access password hash. As shown at procedure 642, itis determined whether the stored password hash matches the accesspassword hash.

If the stored password hash does not match the access password hash, asshown at procedure 650, access to the digital item is denied.Alternatively, if the stored password hash matches the access passwordhash, as shown at procedure 652, access to the digital item is granted.In one embodiment, flow diagram 600 proceeds to procedure 710 of flowdiagram 700.

FIG. 7 is a flow diagram 700 of the update of the stored count andstored password hash in a method of limiting the number of accesses to adigital item, in accordance with various embodiments. It should beappreciated that in accordance with various embodiments, flow diagram700 is performed responsive to granting access to a digital item.

At procedure 710 of flow diagram 700, the count is decremented togenerate a decremented count. For example, where the value of storedcount 115 is n, the value of stored count 115 is updated to n−1.

At procedure 720, the decremented count is stored as the count.

At procedure 730, the one-way hash function is performed on the passwordbased on the number of accesses of the count to generate an updatedpassword hash based on the decremented count.

At procedure 740, the updated password hash is stored as the storedpassword hash.

In one embodiment, as shown at procedure 750, it is determined whetherthe count is decremented to a value indicating the access to the digitalitem is not available.

If it is determined that the count is not decremented to a valueindicating the access to the digital item is not available, as shown atprocedure 760, no action is taken.

If it is determined that the count is decremented to a value indicatingthe access to the digital item is not available, as shown at procedure770, an indication that access to the digital item is denied is stored.In one embodiment, as shown at procedure 772, a random hash isgenerated. At procedure 774, the random hash is stored as the passwordhash.

FIG. 8 is a flow diagram 800 of the change of a password in a method oflimiting the number of accesses to a digital item, in accordance withvarious embodiments.

At procedure 810 of flow diagram 800, responsive to receiving anindication that the password has changed to an updated password, theone-way hash function is performed on the updated password based on thenumber of accesses of the count to generate an updated password hashbased on the count.

At procedure 820, the updated password hash is stored as the storedpassword hash.

While various embodiments describe herein refer to the access of digitalitems, it should be appreciated that other embodiments are envisionedthat are directed towards the access of physical items. For instance,the described systems and methods can be used to control access tophysical items by limiting how many times the physical item can beaccessed. By way of non-limiting example, a digital lock implementingthe described embodiments can be used to limit access to physical items,such as a bank vault, a safe, a room, a house, etc.

In another example, a gaming system in an arcade may be protected bylimiting access to a number of prepaid plays. Rather than using money ortokens in the gaming system directly, a password is provided. Each timethe gaming system is played, the user enters the password. The gamingsystem employs the described embodiments to limit the number of plays(e.g., accesses) of the gaming system. In another example, rides on amotorized transport (e.g., a bus, a subway, or a theme park ride) arecontrolled according to the described embodiment. The user procures aparticular number of rides and receives a password. The access to ridesis limited to the number of rides the user buys. In one embodiment, thepassword is stored on a device, e.g., a magnetic card, that can be readby a corresponding device.

Example embodiments of the subject matter are thus described. Althoughvarious embodiments of the have been described in a language specific tostructural features and/or methodological acts, it is to be understoodthat the appended claims are not necessarily limited to the specificfeatures or acts described above. Rather, the specific features and actsdescribed above are disclosed as example forms of implementing theclaims and their equivalents.

What is claimed is:
 1. A computer-implemented method for limiting accessto a digital item, the method comprising: storing a count for thedigital item in an access count file by a computer, where the count is anumber of accesses permitted for the digital item by a user; receiving apassword of the user for accessing the digital item by the computer;performing a one-way hash function by the computer on the password basedon the number of accesses of the count, to generate a password hashbased on the count; storing the password hash as a stored password hashby the computer; receiving a request to access the digital item at thecomputer, the request comprising the password; accessing the count forthe digital item by the computer from the access count file; performingthe one-way hash function on the password based on the number ofaccesses of the count, to generate an access password hash based on thecount; validating the request by comparing the stored password hash tothe access password hash, provided the stored password hash matches theaccess password hash, granting access to the digital item; anddecrementing the count and updating the stored password hash.
 2. Thecomputer-implemented method of claim 1, wherein the performing a one-wayhash function on the password comprises: performing the one-way hashfunction on the password the number of the count times.
 3. Thecomputer-implemented method of claim 1, wherein the performing a one-wayhash function on the password comprises: performing the one-way hashfunction on the password a multiple of the number of the count times. 4.The computer-implemented method of claim 1, wherein the performing aone-way hash function on the password comprises: performing the one-wayhash function on the password an offset of the number of the counttimes.
 5. The computer-implemented method of claim 1 further comprising:responsive to the granting access to the digital item: decrementing thecount to generate a decremented count; storing the decremented count asthe count; performing the one-way hash function on the password based onthe number of accesses of the count, to generate an updated passwordhash based on the decremented count; and replacing the stored passwordhash by storing the updated password hash as the stored password hash.6. The computer-implemented method of claim 5 further comprising:provided the count is decremented to a value indicating the access tothe digital item is not available, storing an indication that access tothe digital item is denied.
 7. The computer-implemented method of claim6, wherein the storing an indication that access to the digital item isdenied comprises: generating a random hash; and storing the random hashas the stored password hash.
 8. The computer-implemented method of claim1 further comprising: responsive to receiving an indication that thepassword has changed to an updated password, performing the one-way hashfunction on the updated password based on the number of accesses of thecount, to generate an updated password hash based on the count; andstoring the updated password hash as the stored password hash.
 9. Thecomputer-implemented method of claim 1, wherein the digital item isselected from a list consisting of: a virtual appliance; a virtualmachine; an application; a digital media item; and a digital documentfile.
 10. The computer-implemented method of claim 1, wherein thevalidating the request comprises: provided the stored password hash doesnot match the access password hash, denying access to the digital item.11. A computer-implemented method for limiting access to an item, themethod comprising: storing a count for the item in an access count fileby a computer, where the count is a number of accesses permitted for theitem by a user; receiving a password of the user for accessing the itemby the computer; performing a one-way hash function by the computer onthe password based on the number of accesses of the count, to generate apassword hash based on the count; storing the password hash as a storedpassword hash by the computer; responsive to granting access to the itembased on a comparison between a newly calculated password hash and thestored password hash: decrementing the count to generate a decrementedcount by the computer; storing the decremented count as the count by thecomputer; performing the one-way hash function by the computer on thepassword based on the number of accesses of the count, to generate anupdated password hash based on the decremented count; and replacing thestored password hash by storing the updated password hash as the storedpassword hash by the computer.
 12. The computer-implemented method ofclaim 11 further comprising validating a request to access the itemprior to the granting access to the item, the validating the request toaccess the item comprising: receiving the request to access the item,the request comprising the password; accessing the count for the itemfrom the access count file; performing the one-way hash function on thepassword based on the number of accesses of the count, to generate anaccess password hash based on the count; and validating the request bycomparing the stored password hash to the access password hash, whereinprovided the stored password hash matches the access password hash,access is granted to the item.
 13. The computer-implemented method ofclaim 11, wherein the performing a one-way hash function on the passwordcomprises: performing the one-way hash function on the password thenumber of the count times.
 14. The computer-implemented method of claim11, wherein the performing a one-way hash function on the passwordcomprises: performing the one-way hash function on the password amultiple of the number of the count times.
 15. The computer-implementedmethod of claim 11, wherein the performing a one-way hash function onthe password comprises: performing the one-way hash function on thepassword an offset of the number of the count times.
 16. Thecomputer-implemented method of claim 11, wherein the item is a digitalitem.